CN110855676A - Network attack processing method and device and storage medium - Google Patents

Info

Publication number: CN110855676A
Application number: CN201911121421.9A
Authority: CN (China)
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN110855676B (en)
Inventors: 林万程, 洪旭升, 马松松
Current and original assignee: Tencent Technology Shenzhen Co Ltd

Events
    • Application filed by Tencent Technology Shenzhen Co Ltd
    • Priority to CN201911121421.9A
    • Publication of CN110855676A
    • Application granted
    • Publication of CN110855676B

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14, detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
    • G06N20/00 Machine learning
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention provides a network attack processing method, a network attack processing device, electronic equipment and a storage medium. The method comprises the following steps: acquiring a network attack request intercepted by a firewall; decomposing the acquired network attack request and matching the decomposed request against an attack discrimination database to determine an attack character string; generalizing the attack character string and segmenting the generalized string; matching the segmented attack character string against a keyword list to determine the attack part of the attack character string; matching the attack part against the keyword list again and replacing character strings in the attack part that are not in the keyword list with random character strings; and determining the replaced attack part as the attack load. With the method and the device, the attack load can be effectively extracted from the network attack request, so that applications built on the attack load can be developed.

Description

Network attack processing method and device and storage medium
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a method and an apparatus for processing a network attack, an electronic device, and a storage medium.
Background
In recent years, with the continuous development of network technology, Web applications have brought convenience to people's lives, but at the same time they have become an important target of network attacks. To defend against the various Web attacks, a Web Application Firewall (WAF) is usually deployed in front of the Web application; the WAF blocks malicious attack requests by detecting features in HTTP/HTTPS messages.
However, the Web application firewall provided by the related art only records information such as the complete network attack request and the attack type. It cannot give the attack load that performs the attack within the network attack request, so applications based on the attack load cannot be developed.
Disclosure of Invention
Embodiments of the present invention provide a network attack processing method and apparatus, an electronic device, and a storage medium, which can effectively extract an attack load from a network attack request, thereby supporting development of an application for the attack load.
The technical solution of the embodiments of the invention is realized as follows:
An embodiment of the present invention provides a network attack processing method, which comprises the following steps:
acquiring a network attack request intercepted by a firewall;
decomposing the acquired network attack request, and matching the decomposed network attack request with an attack discrimination database to determine an attack character string;
generalizing the attack character string, and segmenting the generalized attack character string;
matching the segmented attack character string with a keyword list to determine an attack part in the attack character string;
matching the attack part with the keyword list again, and replacing character strings which are not in the keyword list in the attack part with random character strings;
and determining the replaced attack part as an attack load.
An embodiment of the present invention provides a processing apparatus for network attacks, including:
the acquisition module is used for acquiring a network attack request intercepted by a firewall;
the decomposition module is used for decomposing the network attack request acquired by the acquisition module;
the matching module is used for matching the network attack request decomposed by the decomposition module with the attack discrimination database so as to determine an attack character string;
the generalization module is used for carrying out generalization processing on the attack character string determined by the matching module;
the segmentation module is used for segmenting the attack character string generalized by the generalization module;
the matching module is also used for matching the attack character string which is segmented by the segmentation module with the keyword list so as to determine the attack part in the attack character string;
the matching module is further used for matching the attack part with the keyword list again and replacing character strings in the attack part, which are not in the keyword list, with random character strings;
and the determining module is used for determining the replaced attack part as the attack load.
In the foregoing solution, the obtaining module is further configured to obtain at least one of the following contents included in the network attack request: the Internet Protocol address of the requesting client, the request header, the content of the request body, the type of the interception rule that was hit, and the identifier of the interception rule.
In the foregoing solution, the decomposition module is further configured to decompose the request header, Cookies, GET parameters, and submitted POST parameters included in the network attack request, and to store each decomposed part as a dictionary of key-value pairs.
In the foregoing solution, the matching module is further configured to match the decomposed parts one by one against the attack rules in the attack discrimination database by regular-expression matching.
In the foregoing solution, the generalization module is further configured to perform at least one of the following processes on the content of the attack string:
replacing consecutive blank characters with a single space;
replacing numbers with zero;
replacing a uniform resource locator string that begins in hypertext transfer protocol format with a link string;
replacing a hash string consisting of consecutive digits and upper- and lower-case letters with a hash string.
In the above scheme, the segmentation module is further configured to segment the attack character string after the generalization processing based on a preset special symbol as a segmentation point.
In the foregoing solution, the matching module is further configured to traverse the segmented attack character string in forward order, backtrack when a first keyword in the keyword list is matched, and take the symbol adjacent before the backtracked first keyword as the start position of the attack part;
to traverse the segmented attack character string in reverse order, backtrack when a second keyword in the keyword list is matched, and take the symbol adjacent after the backtracked second keyword as the end position of the attack part;
where the first keyword is the first keyword matched when the attack character string is traversed in forward order, and the second keyword is the first keyword matched when the attack character string is traversed in reverse order.
In the foregoing solution, the apparatus further includes a storage module, configured to store the attack payload in a blockchain network.
In the foregoing solution, the apparatus further includes a response module, configured to, in response to a request for developing an application based on the attack load, obtain the requested attack load from the blockchain network and send it to an application server, so that the application server can develop the application based on the requested attack load.
The application server executes at least one of the following applications based on the acquired attack load:
testing the firewall based on the attack load;
analysing the content of the network attack request based on the attack load;
and labelling the attack load and using it as a data set for training a machine learning model that identifies network attack requests.
An embodiment of the present invention provides a processing device for network attacks, including:
a memory for storing executable instructions;
and the processor is used for realizing the network attack processing method provided by the embodiment of the invention when the executable instruction stored in the memory is executed.
The embodiment of the invention provides a storage medium, which stores executable instructions and is used for causing a processor to execute so as to realize the network attack processing method provided by the embodiment of the invention.
The embodiment of the invention has the following beneficial effects:
by further decomposing, matching, generalizing, segmenting and replacing the network attack request intercepted by the firewall, the attack load can be effectively extracted from the network attack request, and the development of applications aimed at the attack load is supported.
Drawings
Fig. 1 is an alternative architecture diagram of a network attack processing system according to an embodiment of the present invention;
Fig. 2 is an alternative structural diagram of a processing device for network attacks according to an embodiment of the present invention;
Fig. 3 is an alternative flowchart of a network attack processing method according to an embodiment of the present invention;
Fig. 4 is an alternative flowchart of a network attack processing method according to an embodiment of the present invention;
Fig. 5 is an alternative flowchart of a network attack processing method according to an embodiment of the present invention;
Fig. 6 is an alternative architecture diagram of a network attack processing system according to an embodiment of the present invention;
Fig. 7 is an alternative flowchart of a network attack processing method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings. The described embodiments should not be construed as limiting the present invention; all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the protection scope of the present invention.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
In the description that follows, references to the terms "first", "second", and the like, are intended only to distinguish between similar objects and not to indicate a particular ordering for the objects, it being understood that "first", "second", and the like may be interchanged under certain circumstances or sequences of events to enable embodiments of the invention described herein to be practiced in other than the order illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.
Before the embodiments of the present invention are described in further detail, the terms and expressions used in them are explained; the explanations below apply to those terms and expressions throughout.
1) Web Application Firewall (WAF): also called a website application-level intrusion prevention system, it blocks malicious attack requests by detecting features in Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) messages.
2) Attack load (attack payload): refers to a specific character or code segment used for attack in a malicious attack request.
In the process of implementing the embodiments of the present invention, the inventors found that when network attack processing is performed in the related art, an unsupervised learning method is usually adopted to identify the degree of abnormality of different parameter requests under the same Common Gateway Interface (CGI), so as to extract the parameters of the malicious attack. However, that method stops at extracting the parameters of the malicious attack and does not process the extracted parameters any further.
In addition, the related art also provides a scheme in which, after the attack parameters are extracted, the character string running from the first abnormal character to the last character of the attack parameter is used as the attack feature. However, this scheme also leaves the attack payload extraction unclean in some cases. For example, for an attack parameter of the form "123-. As can be seen, the random variable "-456-789" still exists in the extracted attack feature, so the extracted attack payload is not clean.
In addition, the related art also provides manual extraction, summarization and maintenance, which is common in WAF testing scenarios, for example in some open-source payload libraries. However, the manual method has the disadvantages of high maintenance cost and low efficiency, and in particular, in the case of automated scanning, the cost of manually extracting attack payloads is even higher.
In contrast, after the network attack request intercepted by the firewall is obtained, the embodiments of the present invention further analyse the obtained request and extract an attack payload, which can then be used to test the WAF, to analyse the intercepted content based on the attack payload, and, once labelled, to serve as a data set for training a machine learning model that identifies network attack requests. To this end, the network attack request intercepted by the firewall is obtained; the obtained network attack request is decomposed and the decomposed request is matched against an attack discrimination database to determine an attack character string; the attack character string is generalized and the generalized attack character string is segmented; the segmented attack character string is matched against a keyword list to determine the attack part of the attack character string; the attack part is matched against the keyword list again and character strings in the attack part that are not in the keyword list are replaced with random character strings; and the replaced attack part is determined as the attack load.
In view of this, embodiments of the present invention provide a method and an apparatus for processing a network attack, an electronic device, and a storage medium, which can effectively extract an attack load from a network attack request, thereby supporting development of an application for the attack load.
The following describes an exemplary application of the network attack processing device provided in the embodiment of the present invention, and the device provided in the embodiment of the present invention may be implemented as various types of user terminals such as a notebook computer, a tablet computer, a desktop computer, a set-top box, a mobile device (e.g., a mobile phone, a portable music player, a personal digital assistant, a dedicated messaging device, and a portable game device), may also be implemented as a server or a server cluster, and may also be implemented in a manner that the user terminal and the server cooperate with each other. In the following, an exemplary application will be explained when the device is implemented as a server.
Referring to fig. 1, fig. 1 is a schematic diagram of an alternative architecture of a processing system 100 for network attacks according to an embodiment of the present invention. As shown in fig. 1, a user (e.g., a hacker) sends an HTTP request through a browser 410 on a user terminal 400 (user terminal 400-1 and user terminal 400-2 are illustratively shown), which is sent to a Web application firewall 500 through a network 300, which network 300 may be a wide area network or a local area network, or a combination of both. After receiving the HTTP request sent by the user terminal 400, the Web application firewall 500 detects the features in the received HTTP message, determines whether the features match attack features in an attack database, and determines that the HTTP request is a malicious attack and intercepts the malicious attack when the features match the attack features in the attack database. The server 200 acquires the HTTP request of the malicious attack intercepted by the Web application firewall 500, decomposes the acquired HTTP request, and matches the decomposed HTTP request with the attack discrimination database to determine the attack string. Next, the server 200 generalizes the attack string, divides the generalized attack string, and then matches the divided attack string with the keyword list to determine an attack part in the attack string. Finally, the server 200 matches the determined attack part with the keyword list again, replaces character strings in the attack part which are not in the keyword list with random character strings, and determines the replaced attack part as an attack load.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a server 200 according to an embodiment of the present invention, taking a processing device of a network attack as the server 200 as an example, where the server 200 shown in fig. 2 includes: at least one processor 210, memory 250, at least one network interface 220, and a user interface 230. The various components in server 200 are coupled together by a bus system 240. It is understood that the bus system 240 is used to enable communications among the components. The bus system 240 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 240 in fig. 2.
The Processor 210 may be an integrated circuit chip having Signal processing capabilities, such as a general purpose Processor, a Digital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like, wherein the general purpose Processor may be a microprocessor or any conventional Processor, or the like.
The user interface 230 includes one or more output devices 231, including one or more speakers and/or one or more visual display screens, that enable the presentation of media content. The user interface 230 also includes one or more input devices 232, including user interface components that facilitate user input, such as a keyboard, mouse, microphone, touch screen display, camera, other input buttons and controls.
The memory 250 may be removable, non-removable, or a combination thereof. Exemplary hardware devices include solid state memory, hard disk drives, optical disk drives, and the like. Memory 250 optionally includes one or more storage devices physically located remotely from processor 210.
The memory 250 includes volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The nonvolatile Memory may be a Read Only Memory (ROM), and the volatile Memory may be a Random Access Memory (RAM). The memory 250 described in embodiments of the invention is intended to comprise any suitable type of memory.
In some embodiments, memory 250 is capable of storing data, examples of which include programs, modules, and data structures, or a subset or superset thereof, to support various operations, as exemplified below.
An operating system 251 including system programs for processing various basic system services and performing hardware-related tasks, such as a framework layer, a core library layer, a driver layer, etc., for implementing various basic services and processing hardware-based tasks;
a network communication module 252 for communicating with other computing devices via one or more (wired or wireless) network interfaces 220, exemplary network interfaces 220 including Bluetooth, Wi-Fi, Universal Serial Bus (USB), and the like;
a presentation module 253 to enable presentation of information (e.g., a user interface for operating peripherals and displaying content and information) via one or more output devices 231 (e.g., a display screen, speakers, etc.) associated with the user interface 230;
an input processing module 254 for detecting one or more user inputs or interactions from one of the one or more input devices 232 and translating the detected inputs or interactions.
In some embodiments, the processing apparatus for network attack provided by the embodiments of the present invention may be implemented in software, and fig. 2 illustrates the processing apparatus 255 for network attack stored in the memory 250, which may be software in the form of programs and plug-ins, and includes the following software modules: the obtaining module 2551, the decomposing module 2552, the matching module 2553, the generalizing module 2554, the partitioning module 2555, the determining module 2556, the storing module 2557 and the responding module 2558, which are logical, may be arbitrarily combined or further split according to the implemented functions. The functions of the respective modules will be explained below.
In other embodiments, the apparatus for processing the network attack provided by the embodiments of the present invention may be implemented in hardware, and as an example, the apparatus provided by the embodiments of the present invention may be a processor in the form of a hardware decoding processor, which is programmed to perform the method for processing the network attack provided by the embodiments of the present invention, for example, the processor in the form of the hardware decoding processor may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), or other electronic components.
The following describes a method for processing a network attack according to an embodiment of the present invention, with reference to an exemplary application of the processing device for a network attack, which is provided by the embodiment of the present invention, when the processing device is implemented as a server.
Referring to fig. 3, fig. 3 is an optional flowchart of a method for processing a network attack according to an embodiment of the present invention, and will be described with reference to the steps shown in fig. 3.
In step S301, the server obtains a network attack request intercepted by the firewall.
Here, the network attack request covers the various Web attack modes that may cause the Web server to deny service, such as a Structured Query Language (SQL) injection attack request, a Cross-Site Scripting (XSS) attack request, and a Cross-Site Request Forgery (CSRF) attack request.
Taking an SQL injection attack request as an example, the SQL injection attack request acquired by the server is as follows:
GET /cgi-bin/session/checklogin?appid=wxcbc3ab3807acb685&openid=oA0GbjokU2EOG3o_TvAmBNpvodlE&fskey=v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1 HTTP/1.1
Host:ifzq.gtimg.cn
User-Agent:Go-http-client/1.1
Content-Type:application/json;charset=utf-8
Cookie:
Accept-Encoding:gzip
Here, Host is the host and port, User-Agent is the name of the client browser, Content-Type is the Multipurpose Internet Mail Extensions (MIME) type of the document, Cookie is the stored Cookie object, and Accept-Encoding is the data encoding type that the browser knows how to decode.
In step S302, the server decomposes the acquired network attack request, and matches the decomposed network attack request with an attack discrimination database to determine an attack string.
In some embodiments, after acquiring the complete HTTP request, the server decomposes the request header, Cookies, GET parameters, and submitted POST parameters included in the HTTP request, and stores each decomposed part in a dictionary of key-value pairs.
For example, taking the SQL injection attack request above, the GET parameters included in it are decomposed into appid, openid, and fskey; appid, openid, and fskey are used as keys, and the corresponding parameters are stored as values, with the following result:
{'appid':['wxcbc3ab3807acb685'],'openid':['oA0GbjokU2EOG3o_TvAmBNpvodlE'],'fskey':["v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1"]}
In other embodiments, the structure of the decomposed content is judged while the decomposition is performed: if the content begins with "{" and may be a JSON string, an attempt is made to parse it in JSON format; if it is in XML form or URL form, it is decomposed further so that the attack character string is fully located while splitting the attack character string itself as little as possible.
After the decomposition is finished, each decomposed part is matched one by one by regular expression in order to determine the attack character string.
For example, taking the decomposed SQL injection attack request, to determine the attack string the decomposed request is matched against the attack rules in the attack discrimination database to determine the matching position. The attack rule for each type of attack has a corresponding attack matching pattern, which can be a regular expression describing some characteristic of that attack. Each decomposed part is matched against the attack matching patterns in the attack discrimination database and the matching position is returned; the parameter at the matching position is the attack string. For example, when the decomposed SQL injection attack request is matched against the attack discrimination database, the returned matching position is fskey, and the corresponding attack string is determined as:
v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610 AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1
In step S303, the server generalizes the attack string and segments the generalized attack string.
Referring to fig. 4, fig. 4 is an optional flowchart of a method for processing a network attack according to an embodiment of the present invention, and in some embodiments, step S303 shown in fig. 3 may be implemented by steps S3031 to S3035 shown in fig. 4, which will be described with reference to each step.
Here, after the attack string is determined, the content in the attack string is processed to a certain extent so as to unify some randomly changing values in the attack string.
Step S3031: a continuous blank character is replaced with a space.
When continuous blank characters exist in the determined attack character string, the continuous blank characters are replaced by a blank space.
Step S3032: the number is replaced with zero.
And when the numbers exist in the determined attack character string, replacing all the numbers with zero.
For example, assume that the determined attack string is:
v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610 AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1
the result of executing step S3032 is:
v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 0=0 AND(SELECT*FROM(SELECT(SLEEP(0)))wxmf)limit 0
wherein the numbers 8610, 4, 1 are all replaced by 0.
Step S3033: a uniform resource locator string that starts in a hypertext transfer protocol format is replaced with a link string.
When a URL string in the form of HTTP:// beginning exists in the determined attack string, it is replaced with the link string { link }.
Step S3034: a hash string consisting of consecutive numbers and upper and lower case letters is replaced with a hash string.
When the determined attack string contains a hash string consisting of random consecutive numbers and upper and lower case letters, that hash string is replaced with the hash string {hash}.
For example, assume that the determined attack string is:
v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610 AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1
the result of executing step S3034 is:
{hash}')AS wxmf WHERE 8610=8610 AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1
in which the hash string v0ae789cc105c8d00bfcf5e7fe13a88b, consisting of random consecutive numbers and upper and lower case letters, is replaced by the hash string {hash}.
It should be noted that steps S3031 to S3034 are not limited to the above order and may be executed in any order or simultaneously.
Step S3035: and based on the preset special symbol as a segmentation point, carrying out segmentation processing on the attack character string after generalization processing.
After generalization processing is performed on the content in the attack string, further segmentation processing is performed on the content based on a preset special symbol as a segmentation point, wherein the preset special symbol comprises: +& \! "i'" - (); @ # $ < >, { }.
For example, taking the attack string after the generalization process as an example, the result after the segmentation process is as follows:
["{hash}","'",')','','AS','','wxmf','','WHERE','','0','=','0','','AND','','(','SELECT','*','FROM','(','SELECT','(','SLEEP','(','0',')',')',')','wxmf',')','','limit','','0']
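The generalization of steps S3031 to S3034 and the segmentation of step S3035, written out as an added Python example (this is not the patent's own code). The regular expressions for links, hashes and numbers, the tokenizer, and the decision to keep placeholders such as {hash} whole and to drop empty and whitespace tokens are all my assumptions; `=` and `*` are added to the special-symbol set because they appear as separate tokens in the patent's own listing above even though the symbol list in the text is garbled.

```python
import re

# Added example, not the patent's own implementation.
# Special symbols used as segmentation points (assumption: the patent's list
# plus '=' and '*', which its example output treats as separate tokens).
SPECIAL_SYMBOLS = "+&\\!\"'-();@#$<>,{}=*"

_LINK_RE = re.compile(r"(?i)https?://[^\s'\"<>)]+")
# A "hash": a run of 16+ letters/digits that contains at least one of each.
_HASH_RE = re.compile(
    r"\b(?=[0-9A-Za-z]*\d)(?=[0-9A-Za-z]*[A-Za-z])[0-9A-Za-z]{16,}\b")
_NUMBER_RE = re.compile(r"\d+")
_BLANK_RE = re.compile(r"\s+")
# Placeholders like {hash} stay whole; every special symbol and each
# whitespace character becomes its own split point.
_TOKEN_RE = re.compile(r"(\{[a-z]+\}|[" + re.escape(SPECIAL_SYMBOLS) + r"]|\s)")


def generalize(attack_string: str) -> str:
    """Unify randomly varying values: URLs, hashes, numbers, blank runs."""
    # Links and hashes are replaced before numbers so that digits inside a
    # URL or hash are not turned into zeros first.
    s = _LINK_RE.sub("{link}", attack_string)   # S3033: URL -> {link}
    s = _HASH_RE.sub("{hash}", s)               # S3034: hash -> {hash}
    s = _NUMBER_RE.sub("0", s)                  # S3032: numbers -> 0
    s = _BLANK_RE.sub(" ", s)                   # S3031: blank runs -> one space
    return s


def segment(generalized: str) -> list[str]:
    """S3035: split on special symbols, keeping each symbol as a token.

    Empty strings and whitespace separators are dropped; the patent's own
    listing keeps them as empty strings, which carries no information.
    """
    return [t for t in _TOKEN_RE.split(generalized) if t and not t.isspace()]


if __name__ == "__main__":
    # Constructed sample: the attack string from the patent's worked example.
    sample = ("v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610 "
              "AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1")
    g = generalize(sample)
    print(g)
    print(segment(g))
```

Running this on the patent's sample yields the generalized string shown above and a 27-token list that starts with `{hash}`, `'`, `)`, `AS`. The order of the replacements matters in practice even though the text says the steps may run in any order: replacing numbers before hashes would still work here, but replacing numbers before links would rewrite digits inside a URL that is about to become `{link}` anyway.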
in step S304, the server matches the attack string after the segmentation processing with the keyword list to determine an attack part in the attack string.
In some embodiments, since random parameters irrelevant to the attack may also exist in the attack string determined in step S302, further processing needs to be performed on the determined attack string, the random parameters irrelevant to the attack are deleted, and only a part used for the attack is reserved.
Referring to fig. 5, fig. 5 is an optional flowchart of a method for processing a network attack according to an embodiment of the present invention, and in some embodiments, step S304 shown in fig. 3 may be implemented by step S3041 to step S3042 shown in fig. 5, and will be described with reference to each step.
In some embodiments, the keyword list may be obtained as follows: the attack strings extracted from the WAF are first deduplicated, then word frequency statistics are computed for each attack type, and the high-frequency words appearing in the attack strings are extracted; at the same time, keywords used in certain documents can be collected to form the keyword list. For example, the keyword list for SQL injection attacks includes commonly used SQL injection keywords such as xor, insert, limit, load_file, floor, update, and updatexml.
Step S3041: traversing the segmented attack character string in a forward order, and when a first keyword in the keyword list is matched, backtracking, wherein an adjacent symbol before the backtracked first keyword is used as the starting position of the attack part; and the first keyword is a keyword which is first matched when the attack character string is traversed in a positive sequence.
Taking the segmented attack string as an example, the segmented attack string is traversed in forward order from front to back and matches the first keyword AS; backtracking is then performed, the adjacent symbols ') before the first keyword AS are retained and used as the actual start position of the part used for the attack, and the part before the symbols '), which is unrelated to the attack, is deleted.
Step S3042: traversing the segmented attack character string in a reverse order, when a second keyword in the keyword list is matched, backtracking, and taking an adjacent symbol behind the backtracked second keyword as an end position of the attack part; and the second keyword is the first matched keyword when the attack character string is traversed in a reverse order.
For example, taking the segmented attack string as an example, the segmented attack string is traversed in reverse order from back to front and matches the second keyword limit; backtracking is then performed, the adjacent symbol 0 after the second keyword limit is retained and used as the actual end position of the part used for the attack, and the part after the symbol 0, which is unrelated to the attack, is deleted. Thus, the attack part of the segmented attack string obtained through steps S3041 to S3042 is as follows:
')AS wxmf WHERE 0=0 AND(SELECT*FROM(SELECT(SLEEP(0)))wxmf)limit 0
where the hash string { hash } unrelated to the attack is deleted, leaving only the portion for the attack.
Here, the reason why the keyword is not used as the start position and the end position of the attack part but symbols before and after the keyword are used as the actual start position and the actual end position of the attack part is to retain the original attack characteristics.
In step S305, the server matches the attack part with the keyword list again, and replaces the character string in the attack part that is not in the keyword list with a random character string.
In some embodiments, there may be some randomly changed values in the attack part determined through steps S3041 to S3042, and therefore, further unification of these randomly changed values is required.
For example, taking the determined attack part as an example, the determined attack part is matched with the SQL injection attack request keyword list again, and a character string in the attack part, which is not in the SQL injection attack request keyword list, is replaced with a random character string { rand }, which indicates that the content of the position may not be fixed and that the parameter may be random. Thus, the result of the above attack part after being matched and replaced again is as follows:
')AS{rand}WHERE 0=0 AND(SELECT*FROM(SELECT(SLEEP(0))){rand})limit 0
wherein the string wxmf is replaced by a random string { rand }.
In other embodiments, when a character string in the attack part, which is not in the keyword list, is located at the start position or the end position of the attack part, the character string is directly deleted.
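Steps S3041 and S3042 (locating the attack part) together with step S305 (replacing non-keyword strings with {rand}, or deleting them at either end of the attack part), as an added Python example that is not the patent's own code. The token list is the patent's segmentation output with the empty strings removed. The keyword list is an assumption: it contains the seven keywords the text names plus the SQL words needed for the worked example (AS, WHERE, AND, SELECT, FROM, SLEEP). The rule that backtracking swallows adjacent special symbols and generalized numbers, that only identifier-like tokens become {rand}, and the way tokens are joined back into a string are likewise my choices made to reproduce the patent's example output.

```python
import re

# Added example, not the patent's own implementation.
KEYWORDS = {
    "xor", "insert", "limit", "load_file", "floor", "update", "updatexml",
    "as", "where", "and", "select", "from", "sleep",   # assumed additions
}
SPECIAL_SYMBOLS = set("+&\\!\"'-();@#$<>,{}=*")
_IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")


def is_keyword(token: str) -> bool:
    return token.lower() in KEYWORDS


def is_attached(token: str) -> bool:
    """Tokens that travel with a keyword: special symbols and generalized numbers."""
    return token in SPECIAL_SYMBOLS or token.isdigit()


def extract_attack_part(tokens: list[str]) -> list[str]:
    """S3041/S3042: forward and reverse traversal, then backtracking."""
    hits = [i for i, t in enumerate(tokens) if is_keyword(t)]
    if not hits:
        return []
    start, end = hits[0], hits[-1]          # first and second keyword
    # Backtrack over the symbols adjacent to the first keyword, e.g. ') before AS.
    while start > 0 and is_attached(tokens[start - 1]):
        start -= 1
    # Move over the tokens adjacent to the last keyword, e.g. 0 after limit.
    while end + 1 < len(tokens) and is_attached(tokens[end + 1]):
        end += 1
    return tokens[start:end + 1]


def replace_random(part: list[str]) -> list[str]:
    """S305: non-keyword identifiers become {rand}; at either end they are deleted."""
    out, last = [], len(part) - 1
    for i, t in enumerate(part):
        if _IDENT_RE.match(t) and not is_keyword(t):
            if i in (0, last):
                continue                     # drop random value at the edge
            out.append("{rand}")
        else:
            out.append(t)
    return out


def render(tokens: list[str]) -> str:
    """Join tokens, inserting a space only between two word-like tokens."""
    s = ""
    for i, t in enumerate(tokens):
        if i and re.match(r"\w+$", tokens[i - 1]) and re.match(r"\w+$", t):
            s += " "
        s += t
    return s


def extract_payload(tokens: list[str]) -> str:
    return render(replace_random(extract_attack_part(tokens)))


# Constructed sample: the patent's segmented string without the empty tokens.
SAMPLE_TOKENS = ["{hash}", "'", ")", "AS", "wxmf", "WHERE", "0", "=", "0",
                 "AND", "(", "SELECT", "*", "FROM", "(", "SELECT", "(", "SLEEP",
                 "(", "0", ")", ")", ")", "wxmf", ")", "limit", "0"]

if __name__ == "__main__":
    print(render(extract_attack_part(SAMPLE_TOKENS)))
    print(extract_payload(SAMPLE_TOKENS))
```

On the sample tokens the two printed lines are exactly the attack part and the final payload given in the text. Note that `extract_attack_part` never returns a random identifier at either edge, because backtracking stops at the first non-attached token; the deletion branch of `replace_random` therefore only matters when it is applied to a part obtained some other way.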
In step S306, the server determines the replaced attack portion as an attack payload.
Here, through steps S301 to S305, the server extracts the attack payload used to perform the attack from the network attack request; the server then associates the extracted attack payload with its packet and stores it in the database. Subsequently, various applications may be developed based on the stored attack payload, such as testing the WAF based on the stored attack payload, analyzing the content intercepted by the firewall based on the stored attack payload, and the like.
In other embodiments, the server may also save the extracted attack payload in a blockchain. A blockchain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. The blockchain, which is essentially a decentralized database, is a chain of data blocks associated by cryptographic methods; each data block contains the information of a batch of network transactions and is used to verify the validity (anti-counterfeiting) of that information and to generate the next block.
The blockchain network may include a blockchain underlying platform, a platform product services layer, and an application services layer.
The underlying platform of the blockchain network may include processing modules for user management, basic services, intelligent contracts, and operation monitoring. The user management module is responsible for identity information management of all blockchain participants, and comprises public and private key generation maintenance (account management), key management, user real identity and blockchain address corresponding relation maintenance (authority management) and the like, and under the authorization condition, the user management module supervises and audits the transaction condition of certain real identities and provides rule configuration (wind control audit) of risk control; the basic service module is deployed on all block chain node equipment and used for verifying the validity of the service request, recording the service request to storage after consensus on the valid request is completed, for a new service request, the basic service firstly performs interface adaptation analysis and authentication processing (interface adaptation), then encrypts service information (consensus management) through a consensus algorithm, transmits the service information to a shared account (network communication) completely and consistently after encryption, and performs recording and storage; the intelligent contract module is responsible for registering and issuing contracts, triggering the contracts and executing the contracts, developers can define contract logics through a certain programming language, issue the contract logics to a block chain (contract registration), call keys or other event triggering and executing according to the logics of contract clauses, complete the contract logics and simultaneously provide the function of upgrading and canceling the contracts; the operation monitoring module is mainly responsible for deployment, configuration modification, contract setting, cloud adaptation in the product release process and visual output of real-time states in product operation, such as: alarm, monitoring network conditions, monitoring node equipment health status, and the like.
Referring to fig. 6, fig. 6 is a schematic diagram of an alternative architecture of a network attack processing system according to an embodiment of the present invention. As shown in fig. 6, a user (e.g., a hacker) sends an HTTP request through the browser 410 on the user terminal 400; the HTTP request is sent to the Web application firewall 500 through the network 300, and after extracting an attack payload from the malicious HTTP request intercepted by the Web application firewall 500, the server 200 stores the attack payload on chain, that is, in the blockchain network 600 (the blockchain network 600 is shown with node 610-1, node 610-2 and node 610-3 as examples). When the application server 700 requests the attack payload from the server 200, the server 200 obtains the saved attack payload from the blockchain network 600 and returns it to the application server 700, and the application server 700 receives the attack payload sent by the server 200 and develops various applications based on it.
In other embodiments, the server 200 may also store the attack payload in a database and save the corresponding hash value in the blockchain network 600. The application server 700 obtains an attack load from the database, requests a corresponding hash value from the blockchain network 600 through the server 200, and develops various applications based on the attack load returned by the database if the hash value is verified to be consistent.
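The second arrangement, a payload kept in an ordinary database with only its hash anchored in the blockchain, is what gives the application server a way to detect a tampered or corrupted payload before building on it. An added example (not the patent's code) showing that check, with both the database and the ledger stood in for by dictionaries and SHA-256 over canonical JSON as the assumed digest:

```python
import hashlib
import json


class TamperedPayload(Exception):
    """Raised when a database record no longer matches its on-chain digest."""


class PayloadStore:
    """Added example, not the patent's implementation.

    Stands in for server 200: the payload and its packet live in a database,
    only the digest is written to the ledger (blockchain network 600).
    """

    def __init__(self):
        self.database = {}   # payload_id -> {"payload": ..., "packet": ...}
        self.ledger = {}     # payload_id -> hex digest anchored on chain

    @staticmethod
    def digest(record: dict) -> str:
        # Canonical JSON so the digest does not depend on key order or spacing.
        data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(data).hexdigest()

    def store(self, payload_id: str, payload: str, packet: str) -> str:
        record = {"payload": payload, "packet": packet}
        self.database[payload_id] = record
        self.ledger[payload_id] = self.digest(record)
        return self.ledger[payload_id]

    def verify(self, payload_id: str) -> bool:
        """Recompute the digest from the database and compare with the ledger."""
        return self.digest(self.database[payload_id]) == self.ledger[payload_id]

    def fetch(self, payload_id: str) -> dict:
        """What application server 700 should do: refuse a record that fails verification."""
        if not self.verify(payload_id):
            raise TamperedPayload(payload_id)
        return self.database[payload_id]


if __name__ == "__main__":
    store = PayloadStore()
    # Constructed sample: the payload from the patent's worked example.
    store.store("p1", "')AS{rand}WHERE 0=0 AND(SELECT*FROM(SELECT(SLEEP(0))){rand})limit 0",
                "GET /cgi-bin/session/checklogin?... HTTP/1.1")
    print(store.verify("p1"))
```

The digest is recomputed over the stored record on every read, so a change to either the payload or the associated packet in the database is caught as long as the ledger entry itself is immutable.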
Continuing with the exemplary structure of the network attack processing device 255 provided by the embodiment of the present invention implemented as a software module, in some embodiments, as shown in fig. 2, the software module stored in the network attack processing device 255 of the memory 250 may include: an acquisition module 2551, a decomposition module 2552, a matching module 2553, a generalization module 2554, a segmentation module 2555, a determination module 2556, a storage module 2557, and a response module 2558.
The obtaining module 2551 is configured to obtain a network attack request intercepted by a firewall;
the decomposing module 2552 is configured to decompose the network attack request acquired by the acquiring module 2551;
the matching module 2553 is configured to match the network attack request decomposed by the decomposition module 2552 with an attack discrimination database to determine an attack character string;
the generalization module 2554 is configured to perform generalization processing on the attack character string determined by the matching module 2553;
the segmentation module 2555 is configured to segment the attack character string after the generalization processing by the generalization module 2554;
the matching module 2553 is further configured to match the attack string segmented by the segmentation module 2555 with the keyword list, so as to determine an attack part in the attack string;
the matching module 2553 is further configured to match the attack part with the keyword list again, and replace a character string in the attack part that is not in the keyword list with a random character string;
the determining module 2556 is configured to determine the replaced attack part as an attack payload.
In some embodiments, the obtaining module 2551 is further configured to obtain at least one of the following contents included in the network attack request: the internet protocol address of the request client, the request header, the content of the request body, the type of the hit interception rule, and the identity of the interception rule.
In some embodiments, the decomposing module 2552 is further configured to decompose a request header, Cookies, Get parameters, and submit Post parameters included in the network attack request, and store each decomposed part in a dictionary of key-value pairs.
In some embodiments, the matching module 2553 is further configured to match the decomposed parts with the attack rules in the attack discrimination database one by one based on the regular expression.
In some embodiments, the generalization module 2554 is further configured to perform at least one of the following on the content in the attack string:
replacing consecutive blank characters with a space;
replacing numbers with zero;
replacing a uniform resource locator string beginning in hypertext transfer protocol format with a link string;
replacing a hash string consisting of consecutive numbers and upper and lower case letters with a hash string.
In some embodiments, the segmentation module 2555 is further configured to segment the generalized attack string based on a preset special symbol as a segmentation point.
In some embodiments, the matching module 2553 is further configured to traverse the segmented attack character string in a forward order, and when a first keyword in the keyword list is matched, perform backtracking, where an adjacent symbol before the backtracked first keyword is used as a start position of the attack part;
traversing the segmented attack character string in a reverse order, when a second keyword in the keyword list is matched, backtracking, and taking an adjacent symbol behind the backtracked second keyword as an end position of the attack part;
the first keyword is a first matched keyword when the attack character string is traversed in a positive sequence, and the second keyword is a first matched keyword when the attack character string is traversed in a reverse sequence.
In some embodiments, the apparatus further comprises a storing module 2557 configured to store the attack payload in a blockchain network.
In some embodiments, the apparatus further comprises a response module 2558, configured to, in response to a request for launching an application based on the attack payload, obtain the requested attack payload from the blockchain network and send the obtained attack payload to an application server, so that the application server executes at least one of the following applications based on the acquired attack payload:
testing the firewall based on the attack load;
realizing content analysis of the network attack request based on the attack load;
and marking the attack load as a data set for training and identifying a machine learning model of the network attack request.
It should be noted that the description of the apparatus according to the embodiment of the present invention is similar to the description of the method embodiment and has similar beneficial effects, and is therefore omitted. Technical details of the network attack processing device provided by the embodiment of the invention that are not covered above can be understood from the description of any of figures 3 to 7.
In the following, an exemplary application of the embodiments of the present invention in a practical application scenario will be described.
In the related art, when extracting an attack payload, an unsupervised learning method is usually adopted to identify abnormal programs requested with different parameters under the same Common Gateway Interface (CGI), so as to extract the parameters of the malicious attack. However, this method stops at extracting the parameters of the malicious attack and does not process the extracted parameters any further.
In addition, the related art also provides a scheme in which, after the attack parameters are extracted, the string running from the first abnormal character to the last character of the attack parameter is used as the attack feature. However, this scheme also suffers from unclean attack payload extraction in some cases. For example, for an attack parameter of the form "123-. As can be seen, the random variable "-456-789" still exists in the extracted attack feature, so the extracted attack payload is not clean.
In addition, the related art also provides schemes in which extraction, induction and maintenance are done by hand, which is common in WAF testing scenarios, for example some open-source payload libraries. However, the manual approach has the disadvantages of high maintenance cost and low efficiency, and in the case of automated scanning in particular, the cost of extracting attack payloads by hand is even higher.
The network attack processing method provided by the embodiment of the invention can extract the specific attack payload from the complete HTTP request message intercepted by the WAF. After extracting a specific attack payload, the method can be used for performing WAF test, analysis of intercepted content, and manual marking on the attack payload as a machine learning data set.
Referring to fig. 7, fig. 7 is an optional flowchart of a network attack processing method according to an embodiment of the present invention. As shown in fig. 7, the method comprises the steps of:
step S701: the server pulls the malicious request from the intercept log of the WAF.
Here, pulling the malicious request includes pulling a complete HTTP request from the intercept log of the WAF, where the HTTP request includes the client IP of the request, the request header, the content of the request body, the type of the hit intercept rule, the ID of the intercept rule, and the like.
For example, taking SQL injection attack requests as an example, the malicious requests pulled by the server are as follows:
GET
/cgi-bin/session/checklogin?appid=wxcbc3ab3807acb685&openid=oA0GbjokU2EOG3o_TvAmBNpvodlE&fskey=v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmfWHERE 8610=8610 AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1 HTTP/1.1
Host:ifzq.gtimg.cn
User-Agent:Go-http-client/1.1
Content-Type:application/json;charset=utf-8
Cookie:
Accept-Encoding:gzip
Here, Host is the host and port, User-Agent is the name of the client browser, Content-Type is the Multipurpose Internet Mail Extensions (MIME) type of the document, Cookie is the stored Cookie object, and Accept-Encoding lists the data encodings the browser knows how to decode.
Step S702: the server decomposes malicious requests pulled from the interception log of the WAF.
Here, the server decomposes the malicious request pulled in step S701, which includes decomposing the request header, Cookies, GET parameters and POST parameters, and saves each decomposed part in a dictionary of key-value pairs. During decomposition, the decomposed content is judged by its structure: if it begins with {" and may be a JSON string, parsing it in JSON format is attempted; if it is in XML or URL form, it is further decomposed so as to locate the attack string completely while splitting the attack string as little as possible.
For example, taking the SQL injection attack request as an example, the result obtained by decomposing the SQL injection attack request is as follows:
{'appid':['wxcbc3ab3807acb685'],'openid':['oA0GbjokU2EOG3o_TvAmBNpvodlE'],'fskey':["v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610 AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1"]}
step S703: the server matches the decomposed malicious request with an attack discrimination database, judges whether an attack parameter exists, and if so, executes step S704; if not, finishing the extraction.
Here, for each decomposed part, matching is performed one by one in the form of a regular expression to determine the position of the attack string.
For example, taking the decomposed SQL injection attack request as an example, the attack discrimination module is invoked, the decomposed request is matched using the SQL injection regular expression, and the matched attack string is as follows:
v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610 AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1
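Steps S702 and S703, decomposing the pulled request into key-value dictionaries and matching each part against a discrimination rule, as an added Python example (not the patent's code). The request text is the patent's sample reassembled with CRLF line endings; the SQL-injection regular expression, the header and cookie parsing, and the JSON-body handling are my own illustrative assumptions, not the patent's attack discrimination database.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not the patent's own implementation.
# Assumed discrimination rule for SQL injection (illustrative only).
SQLI_RE = re.compile(
    r"(?i)\b(select|union|sleep|benchmark|updatexml|extractvalue|load_file)\b")


def decompose_body(body: str) -> dict:
    """Judge the body by structure: JSON if it starts with '{', else form fields."""
    body = body.strip()
    if not body:
        return {}
    if body.startswith("{"):
        try:
            return {k: [str(v)] for k, v in json.loads(body).items()}
        except (ValueError, AttributeError):
            pass                      # not valid JSON: fall back to form parsing
    return parse_qs(body, keep_blank_values=True)


def decompose_request(raw: str) -> dict:
    """S702: split a raw HTTP request into headers, cookies, GET and POST parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, rest = lines[0].split(" ", 1)
    # The target may contain unencoded spaces (as in the patent's sample), so
    # the version is split off from the right rather than on every space.
    target, _, _version = rest.rpartition(" HTTP/")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    cookies = {}
    for item in headers.get("Cookie", "").split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            cookies[k.strip()] = v.strip()
    get_params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {"method": method, "headers": headers, "cookies": cookies,
            "get": get_params, "post": decompose_body(body)}


def find_attack_strings(parts: dict, rule=SQLI_RE) -> list:
    """S703: return (section, key, value) for every value that hits the rule."""
    hits = []
    for section in ("headers", "cookies", "get", "post"):
        for key, values in parts[section].items():
            for value in (values if isinstance(values, list) else [values]):
                if rule.search(value):
                    hits.append((section, key, value))
    return hits


# Constructed sample: the patent's SQL injection request joined with CRLF.
SAMPLE_REQUEST = "\r\n".join([
    "GET /cgi-bin/session/checklogin?appid=wxcbc3ab3807acb685"
    "&openid=oA0GbjokU2EOG3o_TvAmBNpvodlE"
    "&fskey=v0ae789cc105c8d00bfcf5e7fe13a88b')AS wxmf WHERE 8610=8610 "
    "AND(SELECT*FROM(SELECT(SLEEP(4)))wxmf)limit 1 HTTP/1.1",
    "Host:ifzq.gtimg.cn",
    "User-Agent:Go-http-client/1.1",
    "Content-Type:application/json;charset=utf-8",
    "Cookie:",
    "Accept-Encoding:gzip",
    "", "",
])

if __name__ == "__main__":
    parts = decompose_request(SAMPLE_REQUEST)
    print(parts["get"])
    print(find_attack_strings(parts))
```

The only hit on the sample is `("get", "fskey", ...)`, i.e. the matching position fskey and the attack string given in the text; headers and cookies are searched as well because an injection can just as easily arrive in a User-Agent or Cookie value as in a query parameter.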
step S704: and the server determines an attack payload from the matched attack character string.
Here, the determined attack string is subjected to a certain process so as to unify some randomly varying values in the attack string. Specifically, the number is replaced with 0; replacing continuous blank characters with a space; for a URL string shaped as HTTP:// beginning, replace { link }; for some hash strings consisting of consecutive numbers and upper and lower case letters, the hash is replaced by { hash } etc.
For example, taking the attack string matched in the SQL injection attack request as an example, the generalized result is as follows:
{hash}')AS wxmf WHERE 0=0 AND(SELECT*FROM(SELECT(SLEEP(0)))wxmf)limit 0
as described above, the first v0ae789cc105c8d00bfcf5e7fe13a88b is generalized to { hash }, and numbers 8610, 4, 1 are all generalized to 0.
After the attack character string subjected to generalization processing is obtained, dividing the attack character string by taking a special symbol as a dividing point, wherein the special symbol comprises: +& \! "i'" - (); @ # $ < >, { }.
For example, taking the attack string after the generalization process as an example, the result of the segmentation is as follows:
["{hash}","'",')','','AS','','wxmf','','WHERE','','0','=','0','','AND','','(','SELECT','*','FROM','(','SELECT','(','SLEEP','(','0',')',')',')','wxmf',')','','limit','','0']
after the segmentation processing, traversing the segmented attack character string from front to back in a forward sequence, judging whether the character string is in a preset keyword list, when a keyword in the keyword list is matched, backtracking, and taking a special symbol in front of the keyword as a starting position for an attack part in the attack character string. Similarly, traversing the segmented attack character string from back to front in a reverse order, when a keyword in the keyword list is matched, backtracking, and taking a special symbol behind the keyword as an end position for an attack part in the attack character string, so that the actual start position and the actual end position for the attack part in the attack character string can be successfully determined. In addition, the special symbols before and after the keyword are reserved here, so as to preserve the original attack characteristics.
In some embodiments, the preset keyword list may be obtained as follows: the attack strings extracted from the WAF are first deduplicated, then word frequency statistics are computed for each attack type, and the high-frequency words appearing in the attack strings are extracted; at the same time, keywords used in certain documents can be collected to form the keyword list. For example, the keyword list for SQL injection attacks includes commonly used SQL injection keywords such as xor, insert, limit, load_file, floor, update, and updatexml.
Illustratively, taking the segmented attack string as an example, according to the counted keyword list, the segmented attack string is traversed from front to back in forward order, matching the keyword AS, and the symbol ') before it is retained; then the segmented attack string is traversed from back to front in reverse order, matching the keyword limit, and the symbol 0 after it is retained. The finally extracted part for attack is as follows:
')AS wxmf WHERE 0=0 AND(SELECT*FROM(SELECT(SLEEP(0)))wxmf)limit 0
After the start position and end position of the part for attack are determined, the part for attack is cut out, and the keyword list is used to match the cut part again. If a string that is not in the keyword list exists in the part for attack and that string appears very frequently in the context, it is replaced by the {rand} string, which indicates that the content at that position may not be fixed and that the parameter may be random. In addition, if the string is at the beginning or end of the part for attack, it is deleted.
For example, taking the extracted part for attack as an example, the result after performing the re-matching and replacing is as follows:
')AS{rand}WHERE 0=0 AND(SELECT*FROM(SELECT(SLEEP(0))){rand})limit 0
step S705: and the server stores the extracted attack payload.
Here, for the extracted attack payload, it is associated with a complete data packet and stored in the database.
In other embodiments, the attack payload may also be extracted by contrasting black (malicious) and white (normal) traffic. For some splice-type payloads, for example a normal request ?id=1 versus an abnormal request ?id=1+and+sleep(4), the malicious part is identified in a manner similar to "abnormal traffic minus normal traffic", and the payload is extracted from it.
The network attack processing method provided by the embodiment of the invention can extract the specific attack payload from the complete HTTP request message intercepted by the WAF. After the payload is collected, the method can be used for testing the WAF, analyzing the intercepted content, marking the attack payload as a data set for machine learning, and the like.
For example, existing WAF interception records contain only the complete HTTP request, the attack type, and the ID of the hit rule. However, many different kinds of attack may actually hit the same rule.
For example, eval($_POST[a]) and eval(string.fromchar(xxxx)) may hit the same interception rule because both contain eval. In practice, however, the former is an attack statement for code execution, and the latter is an attack statement for a cross-site scripting attack. The network attack processing method provided by the embodiment of the invention extracts the specific attack payload from the attack request, so the two situations can be effectively distinguished, which helps subsequent analysis.
For example, in the current data field, the number of labelled Web attack datasets is very small. Furthermore, the HTTP CSIC 2010 dataset was produced in an experimental environment, and datasets of real attacks are extremely scarce. The network attack processing method provided by the embodiment of the invention extracts the attack payload, and labelling is carried out by a combination of machine and human effort, so that a large number of attack samples can be quickly obtained for the relevant experimental work.
Embodiments of the present invention provide a storage medium storing executable instructions, where the executable instructions are stored, and when executed by a processor, will cause the processor to execute a processing method of network attacks provided by embodiments of the present invention, for example, the method shown in fig. 3-5 and 7.
In some embodiments, the storage medium may be memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM; or may be various devices including one or any combination of the above memories.
In some embodiments, executable instructions may be written in any form of programming language (including compiled or interpreted languages), in the form of programs, software modules, scripts or code, and may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
By way of example, executable instructions may correspond, but do not necessarily have to correspond, to files in a file system, and may be stored in a portion of a file that holds other programs or data, such as in one or more scripts in a hypertext markup Language (HTML) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).
By way of example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices at one site or distributed across multiple sites and interconnected by a communication network.
In summary, the embodiment of the invention has the following beneficial effects:
the network attack processing method provided by the embodiment of the invention can extract the specific attack payload from the complete HTTP request message intercepted by the WAF. After the payload is collected, the method can be used for testing the WAF, analyzing the intercepted content, marking the attack payload as a data set for machine learning, and the like.
The above description is only an example of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and scope of the present invention are included in the protection scope of the present invention.

Claims (10)

1. A method for processing a network attack, the method comprising:
acquiring a network attack request intercepted by a firewall;
decomposing the acquired network attack request, and matching the decomposed network attack request against an attack discrimination database to determine an attack string;
generalizing the attack string, and segmenting the generalized attack string;
matching the segmented attack string against a keyword list to determine an attack part within the attack string;
matching the attack part against the keyword list again, and replacing the strings in the attack part that are not in the keyword list with random strings;
and determining the replaced attack part as the attack payload.
2. The method of claim 1, wherein acquiring the network attack request intercepted by the firewall comprises:
obtaining at least one of the following contents included in the network attack request: the internet protocol address of the requesting client, the request header, the content of the request body, the type of the interception rule that was hit, and the identifier of the interception rule.
3. The method of claim 2, wherein decomposing the acquired network attack request comprises:
decomposing the request header, the cookies, the GET parameters and the POST parameters included in the network attack request, and storing each decomposed part as a dictionary of key-value pairs;
and matching the decomposed network attack request against the attack discrimination database comprises:
matching each decomposed part, one by one, against the attack rules in the attack discrimination database by regular expression.
4. The method of claim 1, wherein generalizing the attack string comprises performing at least one of the following on the content of the attack string:
replacing a run of consecutive whitespace characters with a single space;
replacing each number with zero;
replacing a uniform resource locator string that begins with the hypertext transfer protocol scheme with a placeholder link string;
and replacing a hash-like string consisting of consecutive digits and upper- and lower-case letters with a placeholder hash string.
5. The method of claim 1, wherein segmenting the generalized attack string comprises:
segmenting the generalized attack string using preset special symbols as the segmentation points.
6. The method of claim 1, wherein before matching the segmented attack string against the keyword list, the method further comprises:
performing word-frequency statistics on the words of different attack types, and taking the words whose frequency exceeds a preset frequency as keywords; or,
collecting the keywords of the application from its documentation, to obtain the keyword list.
7. The method of claim 6, wherein matching the segmented attack string against the keyword list to determine the attack part within the attack string comprises:
traversing the segmented attack string in forward order and, when a first keyword in the keyword list is matched, backtracking, and taking the symbol adjacent to and before the backtracked first keyword as the start position of the attack part;
traversing the segmented attack string in reverse order and, when a second keyword in the keyword list is matched, backtracking, and taking the symbol adjacent to and after the backtracked second keyword as the end position of the attack part;
wherein the first keyword is the first keyword matched when the attack string is traversed in forward order, and the second keyword is the first keyword matched when the attack string is traversed in reverse order;
and the method further comprises deleting at least one of the following strings from the attack part:
a string that is not in the keyword list and is located at the start position of the attack part;
and a string that is not in the keyword list and is located at the end position of the attack part.
8. The method of claim 1, further comprising:
storing the attack payload in a blockchain network;
in response to a request to run an application based on the attack payload, acquiring the requested attack payload from the blockchain network and sending it to an application server, so that the application server runs the application;
wherein the application server performs at least one of the following based on the acquired attack payload:
testing the firewall based on the attack payload;
analyzing the content of the network attack request based on the attack payload;
and labeling the attack payload as a data set for training a machine learning model that identifies network attack requests.
9. An apparatus for processing a network attack, the apparatus comprising:
an acquisition module, configured to acquire a network attack request intercepted by a firewall;
a decomposition module, configured to decompose the network attack request acquired by the acquisition module;
a matching module, configured to match the network attack request decomposed by the decomposition module against an attack discrimination database to determine an attack string;
a generalization module, configured to generalize the attack string determined by the matching module;
a segmentation module, configured to segment the attack string generalized by the generalization module;
the matching module being further configured to match the attack string segmented by the segmentation module against a keyword list to determine an attack part within the attack string;
the matching module being further configured to match the attack part against the keyword list again and to replace the strings in the attack part that are not in the keyword list with random strings;
and a determining module, configured to determine the replaced attack part as the attack payload.
10. A storage medium storing executable instructions which, when executed, cause a processor to perform the method for processing a network attack according to any one of claims 1 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911121421.9A CN110855676B (en) 2019-11-15 2019-11-15 Network attack processing method and device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911121421.9A CN110855676B (en) 2019-11-15 2019-11-15 Network attack processing method and device and storage medium

Publications (2)

Publication Number Publication Date
CN110855676A true CN110855676A (en) 2020-02-28
CN110855676B CN110855676B (en) 2021-08-31

Family

ID=69600679

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911121421.9A Active CN110855676B (en) 2019-11-15 2019-11-15 Network attack processing method and device and storage medium

Country Status (1)

Country Link
CN (1) CN110855676B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111460837A (en) * 2020-03-31 2020-07-28 广州大学 Character-level confrontation sample generation method and device for neural machine translation
CN111818067A (en) * 2020-07-14 2020-10-23 绿盟科技集团股份有限公司 Flow characteristic extraction method and device
CN112769963A (en) * 2021-04-07 2021-05-07 暗链科技(深圳)有限公司 Node communication method based on block distributed block chain and electronic equipment
CN112788039A (en) * 2021-01-15 2021-05-11 合肥浩瀚深度信息技术有限公司 DDoS attack identification method, device and storage medium
CN113076539A (en) * 2021-04-13 2021-07-06 郑州信息科技职业学院 Big data-based computer security protection system
CN113395237A (en) * 2020-03-12 2021-09-14 中国电信股份有限公司 Attack detection method and device and computer storage medium
CN113472721A (en) * 2020-03-31 2021-10-01 华为技术有限公司 Network attack detection method and device
CN113660230A (en) * 2021-08-06 2021-11-16 杭州安恒信息技术股份有限公司 Cloud security protection test method, system, computer and readable storage medium
CN114553550A (en) * 2022-02-24 2022-05-27 京东科技信息技术有限公司 Request detection method and device, storage medium and electronic equipment
CN115065540A (en) * 2022-06-20 2022-09-16 北京天融信网络安全技术有限公司 Method and device for detecting web vulnerability attack and electronic equipment
CN115603997A (en) * 2022-10-11 2023-01-13 北京珞安科技有限责任公司(Cn) Industrial firewall strategy planning method and system and electronic equipment
CN117118752A (en) * 2023-10-23 2023-11-24 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attack

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070056038A1 (en) * 2005-09-06 2007-03-08 Lok Technology, Inc. Fusion instrusion protection system
CN101677318A (en) * 2008-09-18 2010-03-24 北京启明星辰信息技术股份有限公司 Parallel multi-mode matching method and system with matching rules containing time indicator
CN101902336A (en) * 2009-05-27 2010-12-01 北京启明星辰信息技术股份有限公司 Rule model-based security event correlation analysis system and method
CN104166680A (en) * 2014-07-12 2014-11-26 中国信息安全测评中心 Parallel vulnerability mining method based on open source library and text mining
CN104753916A (en) * 2013-12-30 2015-07-01 凯为公司 Method and apparatus for processing of finite automata
CN105024987A (en) * 2014-04-30 2015-11-04 ***通信集团设计院有限公司 Web service log monitoring method and apparatus
CN106296195A (en) * 2015-05-29 2017-01-04 阿里巴巴集团控股有限公司 Risk identification method and device
CN106776946A (en) * 2016-12-02 2017-05-31 重庆大学 Fraudulent website detection method
CN108228710A (en) * 2017-11-30 2018-06-29 中国科学院信息工程研究所 Segmentation method and device for URLs
CN108460280A (en) * 2018-02-09 2018-08-28 北京交通大学 Network attack character matching method and device
CN108881129A (en) * 2017-05-16 2018-11-23 中兴通讯股份有限公司 Advanced persistent threat attack detection method and device
CN108920668A (en) * 2018-07-05 2018-11-30 平安科技(深圳)有限公司 URL deduplication method and device
CN109194677A (en) * 2018-09-21 2019-01-11 郑州云海信息技术有限公司 SQL injection attack detection method, device and equipment

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113395237A (en) * 2020-03-12 2021-09-14 中国电信股份有限公司 Attack detection method and device and computer storage medium
CN113472721A (en) * 2020-03-31 2021-10-01 华为技术有限公司 Network attack detection method and device
CN111460837A (en) * 2020-03-31 2020-07-28 广州大学 Character-level confrontation sample generation method and device for neural machine translation
CN111818067B (en) * 2020-07-14 2022-07-15 绿盟科技集团股份有限公司 Flow characteristic extraction method and device
CN111818067A (en) * 2020-07-14 2020-10-23 绿盟科技集团股份有限公司 Flow characteristic extraction method and device
CN112788039A (en) * 2021-01-15 2021-05-11 合肥浩瀚深度信息技术有限公司 DDoS attack identification method, device and storage medium
CN112788039B (en) * 2021-01-15 2023-07-25 合肥浩瀚深度信息技术有限公司 DDoS attack identification method, device and storage medium
CN112769963A (en) * 2021-04-07 2021-05-07 暗链科技(深圳)有限公司 Node communication method based on block distributed block chain and electronic equipment
CN113076539A (en) * 2021-04-13 2021-07-06 郑州信息科技职业学院 Big data-based computer security protection system
CN113660230B (en) * 2021-08-06 2023-02-28 杭州安恒信息技术股份有限公司 Cloud security protection testing method and system, computer and readable storage medium
CN113660230A (en) * 2021-08-06 2021-11-16 杭州安恒信息技术股份有限公司 Cloud security protection test method, system, computer and readable storage medium
CN114553550A (en) * 2022-02-24 2022-05-27 京东科技信息技术有限公司 Request detection method and device, storage medium and electronic equipment
CN114553550B (en) * 2022-02-24 2024-02-02 京东科技信息技术有限公司 Request detection method and device, storage medium and electronic equipment
CN115065540A (en) * 2022-06-20 2022-09-16 北京天融信网络安全技术有限公司 Method and device for detecting web vulnerability attack and electronic equipment
CN115065540B (en) * 2022-06-20 2024-03-12 北京天融信网络安全技术有限公司 Method and device for detecting web vulnerability attack and electronic equipment
CN115603997A (en) * 2022-10-11 2023-01-13 北京珞安科技有限责任公司(Cn) Industrial firewall strategy planning method and system and electronic equipment
CN115603997B (en) * 2022-10-11 2023-05-23 北京珞安科技有限责任公司 Industrial firewall policy planning method and system and electronic equipment
CN117118752A (en) * 2023-10-23 2023-11-24 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attack
CN117118752B (en) * 2023-10-23 2024-01-09 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attack

Also Published As

Publication number Publication date
CN110855676B (en) 2021-08-31

Similar Documents

Publication Publication Date Title
CN110855676B (en) Network attack processing method and device and storage medium
CN111651757B (en) Method, device, equipment and storage medium for monitoring attack behaviors
CN112468520B (en) Data detection method, device and equipment and readable storage medium
CN110012005B (en) Method and device for identifying abnormal data, electronic equipment and storage medium
US20220075872A1 (en) Method and system for detecting malicious infrastructure
US20180316702A1 (en) Detecting and mitigating leaked cloud authorization keys
CN110636038A (en) Account number analysis method, account number analysis device, security gateway and system
US20230252145A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
CN111404937B (en) Method and device for detecting server vulnerability
RU2659482C1 (en) Protection of web applications with intelligent network screen with automatic application modeling
CN113067792A (en) XSS attack identification method, device, equipment and medium
CN114465741B (en) Abnormality detection method, abnormality detection device, computer equipment and storage medium
CN111770097A (en) Content lock firewall method and system based on white list
US20230034866A1 (en) Machined Learned Inference of Protocols from Banner Data
CN114979109B (en) Behavior track detection method, behavior track detection device, computer equipment and storage medium
CN114760083B (en) Method, device and storage medium for issuing attack detection file
CN116070191A (en) Information processing method and device, storage medium, and program product
Liu et al. Understanding digital forensic characteristics of smart speaker ecosystems
KR102084516B1 (en) Method to identify client device based on profiling
CN110933064A (en) Method and system for determining user behavior track
CN117499163B (en) WebRTC-based server remote maintenance method, system and equipment
CN114640522B (en) Firewall security policy processing method, device, equipment and storage medium
US20230252146A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
US20230306113A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
Bockermann et al. On the automated creation of understandable positive security models for web applications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (country code: HK; legal event code: DE; ref document number: 40022622; country of ref document: HK)
GR01 Patent grant